From Dr Stephen Henson <>
Subject Re: Segfault in openssl's err_cmp when using SSLCryptoDevice and new SSLProxyMachineCertificateChainFile
Date Fri, 03 Feb 2012 18:27:28 GMT
On 03/02/2012 17:45, Daniel Ruggeri wrote:
> On 2/2/2012 1:02 PM, Daniel Ruggeri wrote:
>> Since this happens with every attempt to start, I suspect it has nothing
>> to do with the new directive and more to do with something I did on the
>> openssl build.
> I was, indeed, doing something stupid. A build with openssl 1.0.0g
> replicates the behavior of 0.9.8g in that it fails when
> SSLProxyMachineCertificateChainFile is enabled. The annoying part is
> that (due to the error I get when running in dbx) I can get no useful
> information in a debug session from Solaris.
> ... so I've switched to RHEL and gdb and have interesting information.
> Under Linux, I get this error on init:
> [Fri Feb 03 10:56:21 2012] [error] Init: Failed to enable Crypto Device
> API `chil'
> [Fri Feb 03 10:56:21 2012] [error] SSL Library Error: 2164682852
> error:81067064:CHIL engine:HWCRHK_INIT:already loaded
> [Fri Feb 03 10:56:21 2012] [error] SSL Library Error: 638287981
> error:260B806D:engine routines:ENGINE_TABLE_REGISTER:init failed
> This only happens when SSLProxyMachineCertificateChainFile is set....
> With some quick debugging I see that the hwcrhk_finish DOES NOT get
> called during ssl_cleanup_pre_config... but DOES get called when the
> directive has been removed. To me, it looks like httpd has not
> registered the engine for cleanup, but that certainly shouldn't be
> impacted by this patch. It seems something in the process of loading the
> store is complicating things.
> I'll continue poking around, but pointers are certainly appreciated.

Hmm... the ENGINE code is careful not to shut down an ENGINE if keys exist which
make use of it.

So there is a possibility that some chain verification leaves a reference to
an RSA key which prevents the ENGINE from closing down completely.

In engines/e_chil.c try commenting out the line containing

Only side effect of doing that is you will only get numerical error codes and
not error strings.

Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
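The reference-counting behaviour Stephen describes is what turns a leaked key reference into the "already loaded" error in Daniel's log. The following is an added illustration, not OpenSSL's or httpd's code: a small constructed model in which (as in OpenSSL's ENGINE_init/ENGINE_finish) the engine's finish hook runs only when the last functional reference is released, and in which (as in e_chil's hwcrhk_init) a static "library loaded" flag rejects a second init. All names, the error code and the restart sequence are assumptions chosen to mirror the thread; the real ENGINE API is not called.

```c
#include <stddef.h>

/* Constructed model of ENGINE functional reference counting; not OpenSSL code. */
#define MODEL_ERR_ALREADY_LOADED 1   /* stands in for HWCRHK_R_ALREADY_LOADED */

typedef struct {
    const char *id;
    int funct_ref;    /* functional references held by callers and by keys */
    int last_error;
} model_engine;

typedef struct {
    model_engine *e;  /* a key bound to an engine keeps a functional reference */
} model_key;

/* Like e_chil, the "hardware library loaded" state is static, so it outlives
 * any ENGINE struct that is discarded without its finish hook having run. */
static int g_hw_loaded = 0;
static int g_finish_calls = 0;

/* Mirrors hwcrhk_init: refuse to load the library twice. */
static int chil_init(model_engine *e)
{
    if (g_hw_loaded) { e->last_error = MODEL_ERR_ALREADY_LOADED; return 0; }
    g_hw_loaded = 1;
    return 1;
}

/* Mirrors hwcrhk_finish: unload and clear the static flag. */
static int chil_finish(void) { g_hw_loaded = 0; g_finish_calls++; return 1; }

/* Mirrors ENGINE_init: the first functional reference runs the init hook. */
static int engine_init(model_engine *e)
{
    if (e->funct_ref == 0 && !chil_init(e)) return 0;
    e->funct_ref++;
    return 1;
}

/* Mirrors ENGINE_finish: the finish hook runs only when the count hits zero. */
static int engine_finish(model_engine *e)
{
    if (e->funct_ref <= 0) return 0;
    if (--e->funct_ref == 0) return chil_finish();
    return 1;
}

static int key_new(model_key *k, model_engine *e)
{
    if (!engine_init(e)) return 0;
    k->e = e;
    return 1;
}

static void key_free(model_key *k)
{
    if (k->e) { engine_finish(k->e); k->e = NULL; }
}

/* Simulate one httpd config pass, cleanup, and a second config pass.
 * leak_key != 0 models a key reference that chain loading never releases.
 * Returns 1 if the second ENGINE init succeeds, 0 if it fails "already loaded". */
int simulate_restart(int leak_key, model_engine *second_out)
{
    g_hw_loaded = 0;
    g_finish_calls = 0;

    model_engine first = { "chil", 0, 0 };
    model_key k = { NULL };
    engine_init(&first);            /* SSLCryptoDevice chil */
    key_new(&k, &first);            /* private key bound to the engine */
    if (!leak_key) key_free(&k);    /* proper cleanup releases the key ... */
    engine_finish(&first);          /* ... and the engine's own reference */

    /* ENGINE_cleanup discards the first struct, but the static flag in the
     * engine module is only cleared if chil_finish actually ran. */
    model_engine second = { "chil", 0, 0 };
    int ok = engine_init(&second);
    if (second_out) *second_out = second;
    return ok;
}

/* Number of times the finish hook ran in the last simulate_restart() call. */
int model_finish_calls(void) { return g_finish_calls; }
```

With no leaked reference the finish hook runs once and the second init succeeds; with one leaked key reference the hook never runs, the static flag stays set, and the second init fails with the "already loaded" error, which is the pattern in the log above and why checking whether hwcrhk_finish is reached is a good diagnostic.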
